Secret Repairs Preceded TCP Flaw Release

Only the math had changed. But the emergence of a workable exploit for an old TCP security hole prompted a secret initiative to fix the Internet, giving network operators a week to secure vulnerable routers. The clandestine repair effort added to an already intense period for security pros juggling a bevy of Windows security patches.

The TCP issue publicized yesterday was publicly known as early as 1998. It allows an attacker to reset an existing TCP session using specially crafted TCP packets. Most TCP sessions are short-lived, so the vulnerability has little impact, but certain critical protocols, such as Border Gateway Protocol (BGP), depend on long-lived sessions. The weakness, which affects widely used Cisco and Juniper routers, can be addressed by using MD5 authentication to secure BGP sessions, a step most ISPs had never taken because an exploit seemed mathematically implausible.
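The MD5 authentication the article refers to is the TCP MD5 signature option (RFC 2385): each segment on the BGP session carries an MD5 digest over the IP pseudo-header, the fixed TCP header with its checksum zeroed, the payload and a shared key, and the receiver drops any segment whose digest does not verify. The following added example (not code from the article or from any router vendor) builds that digest in Python and shows why a reset segment from a party without the key is discarded; the addresses, ports, sequence numbers and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values for a hypothetical BGP session (not from the article).
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
SHARED_KEY = b"example-bgp-key"      # the per-neighbour password both routers configure
FLAG_ACK, FLAG_RST = 0x10, 0x04
MD5_OPTION_LEN = 20                   # kind(1) + len(1) + digest(16), padded to a 4-byte boundary


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """20-byte fixed TCP header with checksum zeroed, as RFC 2385 requires for the digest.
    The data offset counts the fixed header plus the (padded) MD5 option."""
    data_offset = (20 + MD5_OPTION_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385: MD5 over pseudo-header, fixed TCP header (no options), data, then the key."""
    seg_len = len(tcp_header) + MD5_OPTION_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    return hashlib.md5(pseudo + tcp_header + payload + key).digest()


def verify_segment(src_ip, dst_ip, tcp_header, payload, received_digest, key):
    """Receiver-side check: a segment whose option digest does not match is silently dropped."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


def demo():
    # Legitimate peer: an ACK on the session, signed with the shared key.
    hdr = build_tcp_header(179, 50000, seq=1000, ack=2000, flags=FLAG_ACK)
    good = tcp_md5_digest(SRC_IP, DST_IP, hdr, b"", SHARED_KEY)
    accepted = verify_segment(SRC_IP, DST_IP, hdr, b"", good, SHARED_KEY)

    # Reset segment with the same sequence numbers but signed under a wrong key: rejected.
    rst = build_tcp_header(179, 50000, seq=1000, ack=2000, flags=FLAG_RST)
    wrong_key = tcp_md5_digest(SRC_IP, DST_IP, rst, b"", b"not-the-real-key")
    rejected = verify_segment(SRC_IP, DST_IP, rst, b"", wrong_key, SHARED_KEY)

    # Replaying a valid digest from the ACK onto the RST also fails, since the flags differ.
    replayed = verify_segment(SRC_IP, DST_IP, rst, b"", good, SHARED_KEY)
    return accepted, rejected, replayed
```

Real routers additionally age keys and reject segments that lack the option entirely once it is configured; the example only covers the digest check itself.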

Paul Watson came up with a more efficient way of exploiting the vulnerability, making the attack much faster, particularly for attackers controlling "bot networks" of compromised machines. The clock began ticking March 14, when Watson announced plans to present a paper on "specific security problems in the TCP protocol" at the CanSecWest conference on April 21.

Watson shared his plans with government computer security officials in the US and UK, who coordinated a response with vendors and major network operators. "We have known about the fixes for about a week and implemented them last weekend," said Bill Hancock, Chief Security Officer for Savvis Communications, which operates the former Cable & Wireless US network backbone. Communication was handled through back-channels established in February 2001 to deploy patches for the SNMP protocol, Hancock said.

The use of MD5 authentication shouldn't affect network performance, Hancock said. "MD5 is an efficient checksum facility and most network operators never operate the core backbones at max capacity, and are intentionally overengineered to deal with situations like this as well as network overloads," he said.

Adding BGP authentication is not a trivial undertaking, however, and network security teams were also busy installing critical Microsoft security updates, which took on an urgent quality amid rumors of a Windows "super exploit". The repair window for the TCP flaw may have been shorter than hoped, as posts to network operator mailing lists suggest the bulletins were released a day early due to press attention.

Some network professionals say the TCP issue is overstated. If a hacker with a network of bots wants to take out a router, they argue, it is simpler to overwhelm the device with a brute-force DoS attack than to spend the time and effort to exploit the TCP weakness. Hancock, who advocates a complete overhaul of core Internet protocols to make them more secure, calls it a "medium-level vulnerability." A new IETF submission proposes small changes in TCP to address the issue.